What is claimed is: 

1. A method of quantitatively assessing the vulnerability 
of an elementary network unit, including at least one host, 
in which the state of, and application bound to, each port 
is known, the method comprising: 

classifying each port on each host in the elementary 
network unit; and 

determining a quantitative vulnerability rating for the 
elementary network unit in accordance with the 
classification of each port on each host in the elementary 
network unit. 

2. The method of claim 1, wherein classifying each port 
includes : 

determining a network vulnerability rating for each 

port; 

determining an application vulnerability rating for 
each port; and 

determining a port status rating for each port. 

3. The method of claim 2, wherein the network 
vulnerability rating is derived from the status of each 
port, and the application bound to it. 

4. The method of claim 2, wherein determining the 
quantitative vulnerability rating for the elementary network 
unit includes: 

determining, for each port, a port vulnerability rating 
as a function of the network vulnerability rating, the 
application vulnerability rating and the port status rating; 

determining, for each host in the elementary network 
unit, a host vulnerability rating as a function of the port 



vulnerability rating for each port associated with the host; 
and 

determining the quantitative vulnerability rating for 
the elementary network unit as a function of the determined 
host vulnerability ratings for each host in the elementary 
network unit. 

5. The method of claim 2, wherein the network 
vulnerability rating is determined by network protocol 
conventions regarding the assignment of ports. 

6. The method of claim 2, wherein the application 
vulnerability rating is determined by the application bound 
to the port. 

7. The method of claim 6, wherein the application 
vulnerability rating is further determined by a version of 
the application. 

8. The method of claim 6, wherein the application 
vulnerability rating is further determined by an operating 
system associated with the application. 

9. The method of claim 2, wherein the port status rating 
is determined by the state of the port. 

10. The method of claim 9, wherein the state of the port is 
selected from open, closed and filtered. 

11. A application program for quantitatively assessing the 
vulnerability of a computer network based on the state of, 
and application bound to, each port received from a network 



scanning application, the computer network being logically 
grouped into at least one elementary network unit having at 
least one host, comprising: 

classification means for classifying each port on each 
host in the elementary network unit; and 

means for determining a guantitative vulnerability 
rating for the elementary network unit in accordance with 
the classification of each port on each host in the 
elementary network unit. 

12. The application program of claim 11, wherein the 
classification means includes means for determining a 
network vulnerability rating for each port; means for 
determining an application vulnerability rating for each 
port; and means for determining a port status rating for 
each port . 

13. The application program of claim 12, wherein the means 
for determining a quantitative vulnerability rating for the 
elementary network unit includes: 

means for determining, for each port, a port 
vulnerability rating as a function of the network 
vulnerability rating, the application vulnerability rating 
and the port status rating; 

means for determining, for each host in the elementary 
network unit, a host vulnerability rating as a function of 
the port vulnerability rating for each port associated with 
the host; and 

means for determining the quantitative vulnerability 
rating for the elementary network unit as a function of the 
host vulnerability rating for each host in the elementary 
network unit. 
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14. A graphical representation for displaying computer 
network vulnerability, comprising: 

a plot of the computer network divided into elementary 
network units, each elementary network unit having a 
quantitative vulnerability rating. 

15. A method for evaluating risk in a computer network, the 
computer network having at least one elementary network 
unit, comprising: 

determining a quantitative vulnerability rating for 
each elementary network unit; 

determining a risk associated with the computer network 
as a function of the quantitative vulnerability rating. 

16. The method of claim 15, wherein determining the risk 
includes aggregating the quantitative vulnerability rating 
for each elementary network unit. 

17. The method of claim 15, wherein determining the risk 
includes comparing the quantitative vulnerability rating of 
the elementary network unit to a benchmark. 

18. The method of claim 15, wherein determining the risk 
includes comparing the quantitative vulnerability rating of 
the network to a benchmark. 

19. The method of claim 1 wherein the application is a 
service . 



- 24 - 



